THE KEY

A nonprofit organization backed by the New York district attorney’s office and the City of London Police has a plan to dramatically strengthen one of the weakest links in the global cybersecurity ecosystem — small businesses.

The Global Cyber Alliance plans to strengthen that link with a “cybersecurity tool kit for small business” that it’s releasing today. The tool kit includes dozens of free cybersecurity tools, such as anti-virus and ransomware protection, along with guidance on how to install the tools and why they’re necessary.

Cities such as New York and London lose millions of dollars to global cybercrime networks but local police and prosecutors often have difficulty addressing threats based outside their borders. When the New York District Attorney’s Office and the London police launched GCA in 2015 they described it as an effort to work across municipal and national borders to reduce overall digital threats. “A crime prevented is far better than a crime prosecuted,” New York District Attorney Cyrus Vance said at the time.

If the tools are properly installed, they can reduce small businesses’s cyber risk by more than 80 percent, GCA President Phil Reitinger told me in an exclusive preview.

That, in turn, will improve the security of consumers that buy those companies’ goods, said Ron Green, chief information security officer at MasterCard, which is partnering with GCA on the tool kit.

“People have to have faith and trust that their transactions will be safe and secure,” Green told me. “We don’t want cardholders thinking: ‘I don’t trust that local coffee shop or that small online business.' They’ll be leaving out a big portion of merchants and vendors.”

It will also reduce vulnerabilities for larger companies that have numerous small businesses in their supply chains, Green said.

Smaller companies are frequently hackers' first points of entry for larger breaches, such as the 2013 Target breach, which compromised the personal information of more than 40 million customers and began with a breach of the retailer’s small HVAC vendor.

GCA, which launched in 2015 and is also backed by the nonprofit Center for Internet Security, focuses on initiatives that measurably reduce cybersecurity risk for the broader Internet ecosystem. In the past, it has built a tool that alerts consumers to malicious websites and sponsored a program to help companies protect their email domains from phishing.

The tool kit goes a step further, collecting GCA tools and programs together with free commercial tools from vendors including Microsoft and Google into a full cybersecurity package — one that’s easy to use for people without technical expertise.

“We wanted the tool kit to be usable by that 5- to-10-person organization, like a pizzeria or dry cleaner,” Reitinger told me. “These are the merchants you deal with on a day-to-day basis. They’re your friends. They’re your neighbors. And you want to know you can patronize them and your personal information will be safe.”

GCA plans to tout the tool kit to small businesses through about 240 partner organizations, including national governments, companies and business associations in different regions of the world, Reitinger told me. MasterCard also plans to urge its small- business customers to adopt the tool kit, Green told me.

There’s a lot of cybersecurity guidance for small businesses, but most of it isn’t written for a totally nontechnical audience, Reitinger told me. There are also a fair number of free cybersecurity tools, but not much guidance to help small businesses distinguish the truly useful tools from the snake oil.

The benefit of the GCA tool kit is that all the tools have been vetted and there are plain English descriptions of why companies need them, he said.

“These are organizations that are below the cybersecurity poverty line,” Reitinger told me. “They need someone to make it easier for them to take the basic steps to protect their security.”

In addition to anti-virus and ransomware protection, the tool kit includes multi-factor authentication systems that prevent hackers from seizing employee or customer data using stolen passwords, tools that inventory all of a company’s IT assets and a program that prevents hackers from spoofing company emails for phishing attacks.

The tools all have a ratings feature, so small businesses can spot things that are difficult to use and developers have an incentive to make them more easy to use.

The tool kit includes lists of cybersecurity best practices aimed at users without a technical background.

“These basic steps are really easy, but as a security market we’re failing to communicate that to a nontechnical audience,” Adnan Baykal, GCA’s global technical adviser, told me. “These are nontechnical, low-hanging fruit steps that can be implemented by anyone.”

The tool kit was written in English, but it’s equipped with a Google Translate feature so users can read computer translations in other languages. The alliance eventually plans to offer authorized translations into several languages so the tool can be used more easily outside the United States and United Kingdom, Reitinger said.

Correction: This story has been updated to clarify that GCA funding comes from the City of London Police and Cyrus Vance is currently Manhattan District Attorney. 

PINGED, PATCHED, PWNED

PINGED: Iranian cyberattacks last month affected more than a half-dozen federal agencies and led the Department of Homeland Security to issue an emergency order during the partial federal government shutdown requiring civilian agencies to protect their systems, the New York Times's Nicole Perlroth reported. Many experts believe the hacks are tied to the Trump administration's decision to withdraw from the Iranian nuclear deal, Perlroth reported. “Security researchers said the hacks, which exploited underlying weaknesses in the internet’s backbone, were continuing and were more damaging and widespread than agency officials had acknowledged,” according to the Times.

Meanwhile, China has increased its efforts to steal military and trade secrets amid escalating trade tensions with Washington -- even though a 2015 agreement between the United States and China aimed to put an end to hacking operations for commercial gain. Additionally, Chinese hackers have refined their techniques. “Rather than going at targets directly, they have used a side door of sorts by breaking into the networks of the targets’ suppliers,” Perlroth reported. “They have also avoided using malware commonly attributed to China, relying instead on encrypting traffic, erasing server logs and other obfuscation tactics.”

PATCHED: Australia’s conservative Prime Minister Scott Morrison said a “sophisticated state actor” carried out a hack against parliament’s computer network and the country’s major political parties, The Washington Post’s Rick Noack reported. Morrison said Australian authorities discovered that an attack affected the networks of political parties as they worked to identify a “malicious intrusion” on parliamentary networks. The prime minister also said in a statement to the Australian House of Representatives that “there is no evidence of any electoral interference” as the country is expected to hold elections by the end of May.

“It is unclear how sophisticated the hack was, but the extent of the intrusion suggests a level of expertise that is usually associated with larger adversaries, such as Moscow or Beijing,” my colleague reported. “The government in Canberra has accused both countries of hacks targeting Australian entities in recent years, but Beijing’s political interests in the region are likely to make China the key public suspect in this or any future intrusion.” 

Morrison said authorities “acted decisively to confront” the attack and are securing the systems that were targeted. “The Government has chosen to be transparent about these matters,” he said. “This in itself is an expression of faith by our Government in our democratic system and our determination to defend it.”

PWNED: Senior Israeli officials, including the head of the Shin Bet internal security agency, have expressed worries about potential foreign efforts to interfere in the country's elections, Bloomberg News's Gwen Ackerman reported.

The Israeli government doesn't have a coordinated approach to protect its election — which is scheduled for April 9 — against disinformation and other forms of interference even though the country is a powerful player in the cybersecurity industry. “I can’t say I’m at ease,” said Hanan Melcer, a Supreme Court judge who helms the Central Election Committee, according to Bloomberg News. “I’m concerned.”

Volunteers said they found fake online accounts linked to Iran, Saudi Arabia and Russia as well as Israeli political parties. “Cyber security specialists say a major aim of peddling disinformation and fake news is to deepen the rifts in Israel’s already polarized society, inflaming conflicts between conservatives and liberals, Jews and Arabs, secular and religious,” Ackerman reported. “Another is to infiltrate Israeli news sites and distribution lists to disseminate disinformation.”

PUBLIC KEY

— Beijing accused Washington of trying to hinder China's economic development as the United States seeks to convince allies to prevent Chinese telecommunications giant Huawei from building their 5G networks because of security concerns, the Associated Press's Joe McDonald reported. The United States has said that Huawei could be used as a platform for Chinese spying. “The U.S. government is trying to ‘fabricate an excuse for suppressing the legitimate development’ of Chinese enterprises, said the spokesman for the Chinese foreign ministry, Geng Shuang,” the AP reported. “He accused the United States of using ‘political means’ to interfere in economic activity, ‘which is hypocritical, immoral and unfair bullying.’”

— More cybersecurity news from the public sector:

With $60 and a few fake Facebook accounts, researchers were able to identify service members in a military exercise, track their movement, and even persuade them to disobey orders.
Wired
PRIVATE KEY

— British lawmakers said Facebook “intentionally and knowingly violated both data privacy and anti-competition laws” in Britain, The Post's Tony Romm reported. “The sharp rebuke came in a 108-page report written by members of Parliament, who in 2017 began a wide-ranging study of Facebook and the spread of malicious content online,” my colleague wrote. “They concluded that the United Kingdom should adopt new regulations so lawmakers can hold Facebook and its tech peers in Silicon Valley accountable for digital misdeeds.”

— More cybersecurity news from the private sector:

The U.S. government — along with a number of leading security companies — recently warned about a series of highly complex and widespread attacks that allowed suspected Iranian hackers to siphon huge volumes of email passwords and other sensitive data from multiple governments and private companies.
KrebsOnSecurity.com
The loophole lets sites block visitors they can’t track
The Verge
SECURITY FAILS

— Internal hacking teams at the Census Bureau found that information from the 2010 Census about more than 100 million people could be vulnerable to a potential privacy lapse, the AP's Seth Borenstein reported. John Abowd, chief scientist for the agency, also said that the Census Bureau is enacting a new system to protect privacy for the 2020 Census. “In the internal tests, Abowd said, officials were able to match [up] 45 percent of the people who answered the 2010 census with information from public and commercial data sets such as Facebook,” according to the AP. “But errors in this technique meant that only data for 52 million people would be completely correct — little more than 1-in-6 of the U.S. population.”

THE NEW WILD WEST

— Security researchers said hackers with alleged ties to the Venezuelan government of President Nicolás Maduro sought to obtain activists' log-in information to services including Gmail and Facebook after setting up a fake website, according to Motherboard's Lorenzo Franceschi-Bicchierai. “While studying the fake website, researchers found phishing sites hosted on the same IP address,” Motherboard reported. “And there’s evidence that the people behind the second, apparently fake and malicious, website were working for the government of Maduro, according to security firm CrowdStrike and independent researchers.”

— More cybersecurity news from abroad:

British security officials do not support a full ban of Huawei from national telecoms networks despite U.S. allegations the Chinese firm and its products could be used by Beijing for spying, people with knowledge of the matter said.
Reuters
Germany has experienced a big increase in the number of security incidents hitting critical infrastructure such as power grids and water suppliers, the BSI cybersecurity agency said on Sunday, adding however that they were not all due to hacking.
Reuters
Three online video channels designed to appeal to millennials have collected tens of millions of views on Facebook since September. But the pages pushing the videos do not disclose that they are backed by the Russian government.
CNN
ZERO DAYBOOK

Today: 

Coming soon:

EASTER EGGS

Trump on Venezuela crisis: “All options are open.”

Nice's 135th carnival parade pokes fun at world leaders:

SNL’s Trump emergency declaration vs. the real thing: